marco/ids.alfacom.it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
db54fc3235
ids.alfacom.it/deployment/rsyslog/README.md
marco370 c9b2a8a9a9 Set up system to receive and store MikroTik logs 
Add rsyslog configuration for receiving MikroTik logs via UDP, store them in a dedicated file, and prevent duplicates in system messages.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: b452008c-bd98-4e68-81a9-f20d3f714372
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/DR50xVM
2025-11-21 17:26:52 +00:00

94 lines
2.3 KiB
Markdown
Raw Blame History

# RSyslog Configuration - IDS MikroTik
## Overview
Configurazione RSyslog per ricevere log dai router MikroTik via UDP:514 e salvarli in file dedicato senza duplicare in `/var/log/messages`.
## File
- **99-mikrotik.conf**: Configurazione rsyslog
- Template custom `MikroTikRawFormat` (salva log raw)
- Ruleset dedicato `mikrotik` con STOP (evita duplicati)
- Input UDP:514 per log MikroTik
- Permessi automatici: utente `ids`, gruppo `ids`
## Installazione Automatica
```bash
cd /opt/ids
sudo ./deployment/setup_rsyslog.sh
```
Lo script:
1. Rimuove vecchie configurazioni conflittuali
2. Installa `99-mikrotik.conf` in `/etc/rsyslog.d/`
3. Crea directory `/var/log/mikrotik/` con permessi corretti
4. Verifica sintassi rsyslog
5. Configura firewall (UDP:514)
6. Riavvia rsyslog
## Verifica Funzionamento
```bash
# Verifica rsyslog in ascolto su UDP:514
netstat -ulnp | grep 514
# Monitora log in arrivo
tail -f /var/log/mikrotik/raw.log
# Verifica permessi
ls -lh /var/log/mikrotik/raw.log
# Output atteso: -rw-r--r-- ids ids
```
## Configurazione Router MikroTik
Configura i router per inviare log al server:
```
/system logging action
add name=remote-ids target=remote remote=<IP_SERVER> remote-port=514
/system logging
add action=remote-ids topics=firewall
```
## Troubleshooting
### Errore: Template già impostato
```
error: omfile: default template already set via module global parameter
```
**Soluzione**: Lo script rimuove automaticamente vecchie configurazioni conflittuali.
### Log duplicati in /var/log/messages
La configurazione usa `stop` nel ruleset per evitare propagazione.
### Permessi negati
```bash
# Verifica/ripara permessi
sudo chown -R ids:ids /var/log/mikrotik/
sudo chmod 755 /var/log/mikrotik/
sudo chmod 644 /var/log/mikrotik/raw.log
```
### Firewall blocca UDP:514
```bash
sudo firewall-cmd --permanent --add-port=514/udp --zone=public
sudo firewall-cmd --reload
```
## File Log
- **Path**: `/var/log/mikrotik/raw.log`
- **Owner**: `ids:ids`
- **Permissions**: `0644`
- **Format**: Raw syslog message (no timestamp/hostname prefix)
## Note Tecniche
- **Sintassi moderna**: rsyslog v8+ con `template()`, `ruleset()`, `action()`
- **No legacy syntax**: Evita conflitti con `$ActionFileDefaultTemplate`
- **Ruleset dedicato**: Isolamento completo per log MikroTik
- **STOP directive**: Previene duplicazione in altri file log
Reference in New Issue View Git Blame Copy Permalink